Spotify Fined $5.4 Million for Breaching GDPR Data Regulations
Spotify has been fined SEK 58 million ($5.4 million) by a Swedish regulator for breaching the General Data Protection Regulation (GDPR) of the European Union. The violation pertains to the way the company manages users’ personal data and their access to it.
Advocacy group Noyb, led by privacy campaigner Max Schrems, filed a complaint against Spotify and other major tech companies in early 2019. In the complaint, Noyb claimed, among other things, that Spotify did not provide all personal data to users upon request and that it had not disclosed the reasons for processing such data.
The Swedish Data Protection Authority (IMY) found that while Spotify provides users with personal data that it processes upon request, it “does not provide sufficient clarity on how the company uses this data”. It said Spotify should be more transparent about “how and for what purposes individuals’ personal data is processed”. Due to the lack of clarity, “it has been difficult for individuals to understand how their personal data is being processed and to check whether the processing of their personal data is lawful,” the IMY added.
The regulator said it considered the issues to be of “low severity” and noted that Spotify has taken steps to address them. IMY determined the fine based on these factors as well as Spotify’s revenue and number of users. It said it made the decision with the help of other EU data protection authorities because Spotify has users in many countries.
“Spotify provides all users with comprehensive information about how personal data is processed,” the Sweden-based company told TechCrunch in a statement. It said the regulator “found only minor points in our process that they believe need improvement. However, we do not accept the decision and intend to appeal.”